12.11 Visitor Logging and Pass Badges
Personal data held on visitor logs and pass badges in either paper or electronic form will be used to:
- enable identification of individuals authorised to be visiting the premises
- inform visitors of health and safety policy; and
- establish a roll call of persons on site
The personal data held is limited to:
- name of the visitor
- employer
- purpose of visit
- photographic image
- biometric data
- vehicle registration
- mobile phone number and
- email address
Right to be Informed – a statement of purpose should be included in or on a sign adjacent to the Visitor Log, (see section 15, G7 & G8). An explanation of how the personal data is processed should be included in the data controller’s Privacy Policy.
Data Subject Access Request – refer to section 8.1.
Consent – due to the lawful basis of this processing consent would not be required.
Archive Retention – the archive retention period is for the duration of a visitor’s attendance on site. Thereafter any personal data shall be deleted within 90 days unless a longer archive period is justifiable and sanctioned by the data controller.
Archive retention of data relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed. Or in the absence of such notification for a period not exceeding 7 years.
Privacy – access to previous visitors’ data must not be accessible by subsequent visitors.
This can be achieved by means of a log book with privacy sheet or an electronic visitor management system.
The data must be securely destroyed (shredded) or, in the case of electronic management, deleted at the end of the archive period.
Access to electronic visitor logs shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. The data must be deleted at the end of the archive period.
Process – the following or similar process should be agreed between the landlord or managing agent with the security service provider, and included in the assignment instruction:
- Authorisation – where practicable, visitors and contractors must be either pre-booked by the host or confirmed by telephone.
- Pass Badge Issue – telephone the host to inform them of the arrival, assuming the host to be ready to escort the visitor. A badge should then be issued.
- Pass Badge Retrieval – on leaving site the visitor should hand in the pass badge, unless it is auto retrieved by the access control system, and be booked off site. Any paper pass badges are to be shredded.
- Archive Management – unless otherwise instructed by the data controller any visitor log books shall be shredded at the end of the archive period following the last entry. Electronic visitor log archives should be auto deleted at the end of the archive period.